Sunday 7 June 2009

Are TFL top-up machines secure?

Another day, another FAIL.This becomes my daily routine it seems, but that's another story.
This time TFL - operating London's public transport network that covers undergound, overground, DLR, buses and whatever else comes.

During one of the Security Now! podcasts (#193 was about Conficker so it was somewhere between #194 and #196) one of the main discussion topics was (to no surprise) why Windows shouldn't be used in places like ATMs, hospital equipment (MRI scanners, heart monitors, etc) and most of other control
systems we have and use today.

In fact it's really hard not to agree with that. The arguments were very clear and sound:
  • Most if not all of those systems are "consumer grade", not any kind of "industry type" things
  • They are connected to the network
  • They are not patched in general (it works so don't touch it)
  • Most don't run any antivirus/firewall (not related to business function?)
  • Many were not planned to be put on-line in any way (but we know they are)
The machine above takes cash or card - can we trust it then? Does it run anti-virus software and firewall (it's networked - it should)? How can I be sure it won't do what some ATMs in eastern Europe did? We can't be sure of anything if they end up like above, so feel free to add those to a 'Windows no-go list' if you wish and do top-ups on-line at the TFL website - I think it will be safer than at those machines - in general they don't reinforce any trust I might have had for them some time ago.

T-Mobile (U.S.) got owned?

Few minutes ago I came across a full disclosure post saying no more no less than

Like Checkpoint Tmobile has been owned for some time. We have
everything, their databases, confidental documents, scripts and
programs from their servers,
financial documents up to 2009.
If that's true... Ouch!

Just few hours ago I was thinking "what a nice and quiet weekend evening", hmmmm... seems it was just a quiet time before the storm hits. I guess that news coming from the world may be very interesting, so let's wait and see what happens.

Saturday 6 June 2009

EC-Council courses certified by NSA

Chris Riley brought up a good post on his blog...something I totally missed in the news :-o

Following (literally) the press release from EC-Council we read "EC-Council Courseware certified to have met the CNSS Standards by the
United States National Security Agency (NSA) and the Committee on
National Security Systems (CNSS)
". Shocked? I am!

What does it change or prove?
From my point of view it says that EC-Council knows how to do marketing, which obviously they do a lot. My impression when meeting EC-Council people at different expos and conferences were like, uhmmm... security? WTF? Business is business, most important part is to keep it going. Create a business model (hey - I don't blame you for that, good you succeeded!), build brand, loyal user base, make some media stir and here you go. It's simple - if I see someone talking about security with $$$ signs in his eyes, that's a sign for me to back off and go elsewhere. That's my personal impression regarding EC-Council as an organization - full stop.

My thoughts on standards and compliance
Chris has raised in his post some really good points about material quality. I would add, that conforming to standards and requirements (be it well known old friend ISO 9001 or any other ISO-based, PCI-DSS, etc - you name it) is just a matter of proper wording in the marketing materials and in some internal paperwork. I used to work in this area for some time (ie. standards, certification, implementation, paperwork - I've been on both sides of the process, from the bottom to quite high in the chain) and I can tell you that there are two ways to achieve so called "compliance" with any "standard" I came across so far - make damn sure you do what you say you do and do it very well and that conforms to requirements... or make sure auditors don't bother reading :-) and "OK" what they got. First impression method, social engineering, etc - great place to apply those!

Paper will accept anything you want, but this doesn't change in a bit what people know, what they do, how they work, use their knowledge (how much are they worth), etc.

Nothing has changed... exactly nothing!